Don't know if this is the right place, but cannot find an answer elsewhere.
Using Windows XP media centre edition with SP2. belongs to a Lao woman in the office. Displays a picture of a naked woman on the desktop which can not be moved. causes great embarrassment.
Found it in screensavers, named 'sex picture.scr' stored in Windows. described as AutoCAD file.Unlocked Windows from read only, wiped it, it came straight back. searched for other files on download date (July 3 2006) two other files, same size 50K named .VirusUpdate' and Virus Scan
Each time I delete them they come back. ran various virus scan programs who declare my system healthy.
Help

Answer Wiki

You (or actually the Lao lady) have been bitten by one of those two-part pests similar in spirit to “about:blank”, where the infection itself (naked pic in this case) can be found, but not the actual source which sits quietly in the background, and does nothing EXCEPT reinstall the pest whenever it notices that it’s missing.

First step would be to get copies of HijackThis, and Autoruns (Sysinternals utilities – now on Microsoft TechNet’s web site), and perform a full scan of the system with each of them. Use the option to ignore Microsoft-digitally-signed files to cut down on what all you have to examine.

For every service, DLL, exe, etc. remaining in the list, look it up (with a details view) and check the time/date stamp for created, modified, and accessed. The file you’re interested in should be opened with NOTEPAD (or a hex editor) to see if it references the file in question inside itself.

Also, show the Windows, System, and System32 directories with details showing, and look for any DLLs that have inappropriate date stamps on them (usually similar to the infection date stamp, but not always). Rename them to xxxxx.dll.old and reboot to see if the problem goes away.

You can also get regmon and filemon from the same site, and see if you can trap the event that installs the unwanted file, but that’s more labor intensive and should be reserved in case the first method fails.

Write back if you need more assistance. I’ve uncovered and cleaned many similar pests over the last several years.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy

Processing your response...

Discuss This Question: 2 &nbspReplies

There was an error processing your information. Please try again later.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy

Bob's solution does fix the problem, but does nothing from stopping it from happening again.
Download and run SpyBot S&D, get the updates, immunize scan your system, fix the problems, reboot. Open Spybot again (if it doesn't start up automatically) and go to Tools > Startup, uncheck anything that shouldn't be running (this includes all the proprietary stuff like qttask and jusched that don't need to be running all the time), from here you can also stop the offending app from starting if it wasn't removed. Once done, go to Resident and make sure Teatimer is running which will force the user to OK any registry changes in the future (you can actually set this option during the initial run after you install spybot). Granted however, the user is going to have to be smart enough to not allow malware to write to the registry.
Another thing your friend should be doing is running as a user without write permissions to the Windows directory.

Key point that you may have missed in your search for the culprit. It's very easy to get focused on the visible problem. (Been there, done that - and sometimes STILL do that)
Remember that this is a two-part nuisance. The second part is very quiet and not generally detected by anti-spyware or anti-virus. The only thing it does is to re-install the pest.
Open a command prompt, and click on the "C:" icon on the upper left and select properties. When that window opens, select the "Layout" folder tab, and set the Width to 200 and Rows to 9999 (as large as possible)
When you OK, select the "Save properties..." option
CD to the root directory ("cd ") and then then perform (in series) "dir *.dll /s /od".
This will look for DLLs in all directories, and then sort them by date.
Alternately, you can do "Start -> Search"l and then search for all files.... and look for *.dll, and select a date before the first appearance of the problem.
Nailing down this sort of problem is NOT trivial, but it IS within your reach. You just have to stay focused on the real objective. I speak from countless hours of experience in trying to track these things down, and getting sidetracked by what appeared to be the problem - and then losing track of my actual goal.
If you still have problems, contact me privately, and I'll try to help that way.
Bob

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy

Processing your reply...

Ask a Question

Free Guide: Managing storage for virtual environments

Complete a brief survey to get a complimentary 70-page whitepaper featuring the best methods and solutions for your virtual environment, as well as hypervisor-specific management advice from TechTarget experts. Don’t miss out on this exclusive content!

To follow this tag...

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy